By now you’ve probably heard or intrinsically learned that when doing business online, look for the lock. In every browser these days, even on mobile, there is a little lock icon that lets you know that everything you’re doing is secure and encrypted. But have you wondered how? How does your browser know? This feature that has enabled the Internet to grow into a worldwide marketplace is known as the public key infrastructure.
What is a public key?
There are currently two ways we know how to encrypt something. The first is for two parties to share a password. This is the oldest and simplest way to do encryption. However, it has a problem: both computers, and only those two computers, must know the password. This method becomes tricky to do on a large scale (ie: the Internet). The other way is known as two key encryption. It uses a very complex math theory that boils down to two keys, which are a lot like passwords. Each key can be used to encrypt and decrypt, but it can only decrypt something encrypted by the other key. In this scenario, you would always keep one key secret and hidden in your possession, while the other could be copied and given out publicly. This public key could encrypt a message that only your hidden key could decrypt. Additionally, you could encrypt a message with your private key that everyone can decrypt as a way to prove you are who you say you are.
What is a certificate?
If you’ve dabbled with running a website, you may have heard of something called a certificate. These certificates are downloaded whenever you visit a secure website, and they do two things:
1) They give you a public key for the website so you can encrypt things to give to it (like your order or login information)
2) They contain a message proving that the website is who it says it is (and not amazon-gonna-steal-your-card.com)
Computers have been able to generate their own certificates for years, and there is technically nothing stopping a hacker from pretending to be google.com or amazon.com and making their own certificate to trick you. This is where the infrastructure comes in, and the idea of a chain of trust.
Who vouches for you?
In the late 90’s and early 00’s, there were several companies that were created to do one thing: Create certificates for you. They did a background check of sorts on your company and encrypted their message with your key and their key, so you knew it came from them. So if you trusted these companies, you could trust any certificates they sold to others. In the beginning this was ludicrously expensive, at nearly $1000 a year. Over time this cost has gone down as more and more companies have been included as “trusted roots.” These companies sometimes give their approval for other companies to sell certificates below them. This creates a chain of trust. So if you buy a certificate from any of these 2nd or 3rd tier companies, you get the trust that leads all the way back to the root.
Expiration and Revocation
If you do purchase a certificate, you might notice that it has an expiration date. You probably think this is greedy, as there is no reason it shouldn’t last forever. However, the reality is that browsers employ one other method of security: checking that the certificate is valid. Computers get hacked, often. In the event that the private key for a webserver is compromised, it can be reported (much like a stolen credit card). This causes the issuing authority to revoke it, and place it on a list of revoked certificates. Originally this was an actual list, and each Authority kept their own. To prevent them from growing too large, they made certificates expire, so that after the expiration they could be removed. Now, these are handled by third parties in trusted databases. The expiration remains to prevent old, less secure certificates from being cracked and used as computers get more powerful.
Should I buy a certificate for my website?
If you are selling things, yes. Also if you have private data hidden behind a login, it’d be a good idea. If you are wondering if your cat website needs it, the answer is maybe. Were this a year or two ago, the answer would have been no, but a website called Let’s Encrypt was started in late 2015 by the Electronic Frontier Foundation which provides free SSL certificates.